- (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from

   larsch@trustcenter.de

diff --git a/ChangeLog b/ChangeLog
index 63f466acf05dfdeaa541578cc3cf4ee6e176ac6f..0b96b476e0fee717b9dc8a8189deff131ec5fce8 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20030825
+ - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from 
+   larsch@trustcenter.de
+
 20030822
  - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal 
    -lbroken; ok dtucker 

diff --git a/scard-opensc.c b/scard-opensc.c
index 4ab87ea8a91deccfaf20586b35d0b0756b6c4c6a..2489fec457da5f90e2a2b77fe3c3c12d0111e44f 100644 (file)
--- a/scard-opensc.c
+++ b/scard-opensc.c
@@ -110,7 +110,8 @@ err:
 /* private key operations */
 
 static int
-sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out)
+sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out,
+       unsigned int usage)
 {
        int r;
        struct sc_priv_data *priv;
@@ -130,7 +131,8 @@ sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out)
                        goto err;
                }
        }
-       r = sc_pkcs15_find_prkey_by_id(p15card, &priv->cert_id, &key_obj);
+       r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id, 
+               usage, &key_obj);
        if (r) {
                error("Unable to find private key from SmartCard: %s",
                      sc_strerror(r));
@@ -176,6 +178,9 @@ err:
        return -1;
 }
 
+#define SC_USAGE_DECRYPT       SC_PKCS15_PRKEY_USAGE_DECRYPT | \
+                               SC_PKCS15_PRKEY_USAGE_UNWRAP
+
 static int
 sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
     int padding)
@@ -185,7 +190,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
 
        if (padding != RSA_PKCS1_PADDING)
                return -1;      
-       r = sc_prkey_op_init(rsa, &key_obj);
+       r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT);
        if (r)
                return -1;
        r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, 
@@ -201,6 +206,9 @@ err:
        return -1;
 }
 
+#define SC_USAGE_SIGN          SC_PKCS15_PRKEY_USAGE_SIGN | \
+                               SC_PKCS15_PRKEY_USAGE_SIGNRECOVER
+
 static int
 sc_sign(int type, u_char *m, unsigned int m_len,
        unsigned char *sigret, unsigned int *siglen, RSA *rsa)
@@ -209,7 +217,15 @@ sc_sign(int type, u_char *m, unsigned int m_len,
        int r;
        unsigned long flags = 0;
 
-       r = sc_prkey_op_init(rsa, &key_obj);
+       /* XXX: sc_prkey_op_init will search for a pkcs15 private
+        * key object with the sign or signrecover usage flag set.
+        * If the signing key has only the non-repudiation flag set
+        * the key will be rejected as using a non-repudiation key
+        * for authentication is not recommended. Note: This does not
+        * prevent the use of a non-repudiation key for authentication
+        * if the sign or signrecover flag is set as well. 
+        */
+       r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN);
        if (r)
                return -1;
        /* FIXME: length of sigret correct? */